Cover story: Machine Safety Integration

Should you bolt-on or design-in machine safety? Procedures are changing in light of international regulations. Machine safety survey results indicate respondents aren’t as ready as they could be, but are moving in the right direction. Safety integration webcast tells how to get ready, lower risk, and increase profitability.

Mark T. Hoske, Control Engineering

04/12/2011

A traditional machine safety approach often takes on a separate hardwired, bolted-on, after-the-fact machine safety structure, one often seen by operators as an impediment to productivity and, possibly, something to circumvent when hurried. When safety is integrated into machine design or a plant floor manufacturing cell, it incorporates regulatory requirements and productivity concerns up front. Safety integration also brings opportunities for gaining competitive advantage, offering greater efficiency without extra maintenance and capital costs of dedicated safety equipment and related point-to-point wiring. Machine safety and risk assessment is changing in light of OSHA and international regulations and standards. [For more on that, see the Safety Integration webcast.]

A sampling of Control Engineering newsletter subscribers in cooperation with VDC Research found many don’t expect to comply with anticipated European safety directives by year end and many expect they’ll need help. Separately, IMS Research reported on March 17 that global revenues for discrete machine safety components will increase more than 43% for the period 2010 to 2015, exceeding $2.15 billion in 2015, up from $1.5 billion. Why? Changes in machine safety laws and, IMS said, end users increasingly see that “machine safety is a way to increase productivity, rather than being a cost.”

Mark Watson, research manager at IMS Research and author of a related report, said benefits include “wider adoption of programmable safety components, faster identification and rectification of safety-related problems, and increased productivity due to reduced downtime.” IMS Research also noted, “If suppliers can provide safety components that can be easily integrated with control components, then overall system performance will increase. Machine safety should be marketed as a benefit because operators are protected from hazards and machine downtime is minimized.”

Survey: Not ready for machine safety directive

What’s the reader readiness for present and possible future changes in machine safety regulations? Control Engineering worked with VDC Research to ask Control Engineering newsletter readers. The questions below were a subset of a larger safety survey. Preliminary responses from two weeks in March follow.

European Commission’s Machinery Directive’s functional safety compliance anticipated deadline is Dec. 31, 2011, to transition from EN 954-1, the standard that categorizes safety levels. If you’re a machine builder or system integrator, it’s expected you will need to conform to EN ISO 13849-1 or EN/IEC 62061 to demonstrate compliance by assessing safety component reliability and adding a quantitative calculation to the control safety system design. Slightly more respondents chose the first over the second as the means for compliance.

As of March, less than one third of respondents said they were nearly prepared or fully prepared for the anticipated directive. As of the anticipated December deadline, about half said they expected to be prepared or fully prepared for the anticipated directive.

Nearly 40% expected to use outside tools or help to achieve compliance, and over 40% didn’t know if they were going to need help. Just 20% didn’t expect they’d need assistance to comply by year end. As for the touted benefits of the Machinery Directive’s functional safety compliance— more predictable performance, greater reliability and availability, and improved return on investment—more were neutral or had no opinion than were positive. More were positive than negative about that view, however.

As for U.S. regulations, NFPA 79 provisions allowing integration of control systems and safety systems seem to be gaining ground. As of March, nearly a quarter of respondents had integrated 20% or less of control and safety systems; three years from now, just 2% expect to have so little integrated. On the top side, 33% said that more than 80% of control and safety systems are integrated; three years from now, 37% expect that level of integration. More details follow.

For those complying with the anticipated Dec. 31, 2011, Machinery Directive requirements, compliance will be met by following:

43% EN ISO 13849-1 (“Safety of machinery, Safety-related parts of control systems”) builds on EN 954-1, specifying system reliability in one of five performance levels (PLs) based on a “hardware-oriented structure;” calculated mean time to dangerous failure; and diagnostic coverage of the safety function. A significant revision in the standard requires defining the statistical probability of an unwanted occurrence or failure. It forces the designer to validate that the control system does what is required of it. This standard applies beyond electric/electronic systems to include mechanical, hydraulic, and pneumatic safety-related parts of the control systems.

38% EN/IEC 62061 (“Safety of Machinery— Functional safety of safety-related electrical, electronic, and programmable electronic control systems”) describes the amount of risk to be reduced and ability of a control system to reduce that risk according to safety integrity level (SIL). The machinery sector uses three SILs; SIL 1 is the lowest and SIL 3 is the highest safety function. The subsystems making up the system that implements the safety function must have an appropriate SIL capability.

19% said they didn’t know yet.

By the anticipated Dec. 31, 2011, Machinery Directive deadline, readers expected to be this percentage compliant:

5% said they’d be 0-20% compliant

5% said 21-40%

5% said 41-60%

5% said 61-80%

29% said they didn’t know

Those involved with the new Machinery Directive standards say that although they require more steps and procedures, they will help create machines that have more predictable performance, greater reliability and availability, and improved return on investment. Do those taking the survey agree?

A safety PLC with I/O modules on an Ethernet protocol helps maximize efficiency in body shop, decreasing downtime and adding visualization. For Kia Motors Corp., optimizing manufacturing processes to maximize efficiency and productivity has become more important than ever, according to information from Rockwell Automation. Kia Motor Slovakia (KMS) required an integrated solution where information and devices are connected seamlessly to each other.

KMS’s body shop was operating with a programmable logic control and related software; its body complete (BC) line was assembling all moving parts, with manual handling by 20 workers. Frequent breakdowns decreased productivity and sometimes halted production.

The BC line was configured with safety relays and guarded with safety scanners and relays. The safety relays had complicated wiring and long conductor routing from the safety device to the relay in the main cabinet, without a bypass function from the scanners.

The safety circuits or the safety devices caused a lot of small line stops, and it was often difficult to identify the reason for or location of the failure. Replacement often took a long time.

The safety controller expanded upon existing processors in use, adding safety firmware and a safety processor. Remote safety I/O modules also were added and connected to an Ethernet network and visualization of safety conditions, alarms, emergency events, and programming of the control system. Visualization was developed for the existing human-machine interface (HMI). The safety PLCs have a common programming environment with existing PLCs, along with common networks, I/O modules, and a common control engine, integrating Safety Integrity Level (SIL) 3 control in an environment said to be easy to use, which reduces development time and application costs.

In traditional designs, if a person entered the cell or if one device failed during production, the line stopped until resolution. KMS had to check each area and its devices to discover the problem. It was difficult to identify the failure, and KMS was unable to discern which safety button was pushed.

With the new design, the line was divided into five zones, each zone with a cabinet, safety I/O modules, and 2-3 m of wiring. Each module was connected to the safety PLC via Ethernet using the same programming software. Each scanner had a bypass function with the possibility of light signaling the relevant zone and signals the location. The operator can easily communicate with each zone with visualization via Ethernet protocol. A failure can be identified and recovered; other zones continue operating. The new platform reduces maintenance and troubleshooting, and increases safety.

KMS plans to expand and apply the integrated safety concept to other lines. Ability to identify the failure and solve problems quickly has “dramatically increased productivity by reducing up to 70% of the safety breakdown time,” said Ondrey Vasek, maintenance manager in body, KMS.

Safety for robotics

For robotic safety, ANSI/RIA/ISO 10218-1-2007-American National Standard is among applicable standards, according to information from Beckhoff Automation. Section 5.4 covers safety-related control system performance (hardware/software).

“5.4.1 General: Safety-related control systems (electric, hydraulic, pneumatic, and software) shall meet the performance criteria listed in 5.4.2 as a minimum, unless the results of a risk assessment determine that an alternate performance criteria per 5.4.3 is appropriate. The safety-related control system performance that the piece of equipment meets shall be clearly stated in the information for use provided with the equipment.

“For the purpose of this part of ANSI/RIA/ ISO 10218, safety-related control system performance is stated as categories as described in ISO 13849-1:1999. Other standards offering alternative performance requirements such as control reliability, performance levels, and safety integrity levels may also be used. When using these standards to design safety-related control systems, care should be taken to ensure that an equivalent level of risk reduction is achieved.

“5.4.2 Performance requirement: When safety- related control systems are required, the safety- related parts shall be designed so that: a) a single fault in any of these parts does not lead to the loss of the safety function; b) whenever reasonably practicable, the single fault shall be detected at or before the next demand upon the safety function; c) when the single fault occurs, the safety function is always performed and a safe state shall be maintained until the detected fault is corrected; and d) all reasonably foreseeable faults shall be detected. This requirement is considered to be a category 3 as described in ISO 13849-1:1999

“5.4.3 Other control system performance criteria: The results of a comprehensive risk assessment performed on the robot and its intended application may determine that a safety- related control system performance other than category 3 (i.e. categories 2 or 4) is warranted for the application. Other performance criteria are described in ISO 13849- 1:1999. Selection of one of these other safety-related performance criteria shall be specifically identified, and appropriate limitations and cautions shall be included in the information for use provided with the affected equipment.”

Hazard / risk categories

For U.S. electrical workplace safety, the key standard is National Fire Protection Association (NFPA) 70E, Standard for Electrical Safety in the Workplace, according to information from Fluke.

The U.S. Occupational Safety and Health Administration (OSHA) refers to NFPA 70E for electrical safety. The preferred way to work on hazardous electrical circuits is with the power off. Equipment that could be turned on must be locked out and tagged. Some tests aren’t possible unless circuits are live.

The 2009 Edition of NFPA 70E cites American National Standards Institute (ANSI)/ISA- 61010-1 (82.02.01)/UL 61010-1, also International Electrotechnical Commission (IEC) 61010. Measurement categories (CAT) listed in the standards cover systems of 1000 volts or less, including 480-volt and 600-volt, three-phase circuits. They define the danger of transient voltage spikes and electrical arc flash and differentiate the severity by location, voltage level, and potential for harm. ANSI, the Canadian Standards Association (CSA) and IEC define four measurement categories.

CAT IV is applicable to test and measuring circuits connected at the source of the building’s low-voltage MAINS installation.

CAT III is applicable to test and measuring circuits connected to the distribution part of the building’s lowvoltage MAINS installation.

CAT II is applicable to test and measuring circuits connected directly to utilization points (socket outlets and similar points) of the low-voltage MAINS installation.

CAT I defines non-CAT rated products that are not intended to be directly connected to the MAINS supply

Integrating control and safety increases productivity

Integrated safety and controls allow faster and easier implementation of new machine safety requirements. Industrial automation is now considerably more flexible and open than ever, and modern machines and plants have significantly increased productivity by integrating controls and safety. This is because, in many cases, relay technology has been replaced by the programmable controller and decentralization with distributed I/O, according to John D’Silva, marketing manager, safety integrated, Siemens Industry Inc.

"For example, Kuka sought to simplify its safety system with a new, cost-effective method for safety management and controls using a fail-safe controller with high diagnostic capability. This would have saved thousands in wiring and troubleshooting. However, moving from hardwired safety relays to a standalone safety PLC-based method was not enough. Combining machine safety and standard machine control on one fieldbus was the key to nearly eliminating all relays and “out-to-the-field” wiring. This significantly reduced control panel space requirements, hardware, engineering design, troubleshooting, and overall wiring costs.

"Integrating controls and safety offers numerous advantages for machine manufacturers and plant operators, especially from an economic point of view. Machines and plants can be implemented significantly faster and are easy to adapt to new machine safety requirements. Plant operators also profit from integrated safety through safer machines and plants, and more productive and faster ones. A consistent, complete system with safety engineering and standard automation reduces downtimes and increases availability due to improved diagnostics.

"Compared to conventional safety engineering, integrated safety also facilitates conversion and modernization. Existing machines and plants can be upgraded to new technology more economically due to flexible concepts and modular expansion.

"What’s happening with safety today is similar to what has already happened with motion control. In the past, motion was treated separately from the control system. However, a great percentage of machines are now doing motion on a platform with control logic integrated. This integration does away with a lot of the interconnected wiring and interconnected communications," D'Silva said.

"In the past, large production systems had a single circuit. In the event of an emergency stop the circuit was completely switched off, and operators were regularly faced with the task of finding the cause,” said Erik Dommerholt, software development manager at Voortman Automatisering (see photo), a Dutch manufacturer of steel processing machinery. Safety I/O modules pinpoint where the emergency stop was triggered. “The response is also known, since the function is coupled to the module. In addition, wiring of the safety circuit is simpler,” he added. Yellow terminals show the Beckhoff Automation Twin-Safe safety I/O technology.

Certification

Increased productivity with integrated safety: B&R said Feb. 18 that it was the first manufacturer to obtain certification for a fully digital servo drive safety system, including everything from sensors to actuators. With the servo drives from the ACOPOSmulti product family (certified in February 2010 by TÜV Rheinland-see photo), error response times are reduced by a factor of 10 and the maximum impact energy produced is reduced by a factor of 100. The relay-free SafeMC safety circuit in the drives automatically monitors how the motor responds to instructions from the servo drive.This is done using fully digital encoders that are certified according to EN ISO 13849. Electronics are integrated on the drive to avoid increasing response times, B&R said. The drives eliminate double wiring; external monitoring modules are provided.